EFF Claims Encrypted Password Is Protected Under 5th Amendment

Defendants can't be forced into providing law enforcement authorities with the encryption key to their laptops, or it becomes self-incrimination, the Electronic Frontier Foundation argued in a court brief filed in a mortgage fraud criminal case.

A mortgage fraud case has
turned into a battle over the Fifth Amendment as the Department of Justice
argued that the government can force individuals to disclose their encryption
pass phrases.
Ramona Camelia Fricosu and
her husband, Scott Anthony Whatcott, were indicted last year for scamming
Colorado Springs residents facing foreclosure. After the FBI obtained search
warrants and seized Fricosu's laptop, agents discovered they could not view the
contents because the laptop drive was encrypted. As a result, the FBI
asked a Colorado federal district court on May 6 to compel Fricosu to enter her
password, arguing that the contents of the drive were included under the
warrants.

The government doesn't need
the passphrase itself and said Fricosu can just type it in to decrypt the drive
without anyone finding out her code. Prosecutors have likened the encryption
key in this case to a physical key used on a safe, arguing that a warrant would
require defendants to hand over the key to open the safe.

"Ms. Fricosu could
enter the password without being observed by the government, or otherwise
provide the unencrypted contents of the [laptop] by means she chose," the
government's lawyers wrote in the brief filed with the court.
The case has wide-ranging
implications for corporations and individuals as data encryption becomes more
common. Recent data breaches have highlighted the importance of encrypting
sensitive data, but the courts have yet to decide whether the government can
compel defendants or suspects in criminal cases to hand up decryption keys.
Fricosu's lawyers argued
that Fricosu's entering the password would be tantamount to self-incrimination
or a violation of the Fifth Amendment. "If agents execute a search warrant
and find, say, a diary handwritten in code, could the target be compelled to
decode, i.e., decrypt, the diary?" Philip Dubois, Fricosu's attorney wrote
in a brief filed July 8.
The Electronic Frontier Foundation
agreed, filing an amicus
curiae brief on the same day. "Ordering the defendant to enter an
encryption password puts her in the situation the Fifth Amendment was designed
to prevent: having to choose between incriminating herself, lying under oath or
risking contempt of court," EFF attorney Marcia Hofmann said.
EFF said the situation was
different from a physical key because the passphrase wasn't on a key chain, but
inside "Fricosu's brain," and the courts have ruled that under the
Fifth Amendment, defendants don't have to provide information they know. The
Supreme Court has ruled in the past that while defendants would be compelled to
turn over a key to open the safe, they couldn't be compelled to provide the
combination to that safe because the numbers qualified as "contents of an
individual's mind."
There is some legal
precedent for both sides of the argument. A federal judge in Michigan ruled in
a child exploitation case in March 2010 that the defendant would not have to
provide his password. In 2009, a Vermont federal judge ruled the opposite in a
similar case. In the Vermont case, the laptop had been seized by border agents.
There is a lesser
expectation of privacy in certain situations, such as the border crossing,
Andrew B. Serwin, chair of the privacy, security & information management
practice at law firm Foley & Lardner, told eWEEK. The courts have defined some areas where the government has
more leeway, Serwin said.
As encryption becomes more
commonplace, it was important to ensure that passphrases and encrypted files
receive full protection under the Fifth Amendment, the EFF said in a statement.
The amount of personal data stored on computers, including correspondence with
family and friends, online activity, financial records and medical information,
need to be protected from the government.
The prosecutors have
provided some limited immunity, but have not provided "assurances"
that none of the data found on the computer would be used as evidence against
Fricosu, the EFF said.
The Department of Justice
said the contents have "evidentiary value," and argued that if
defendants are not required to enter their passwords, "public interests
will be harmed." If the judge decides Fricosu doesn't have to enter her
password, "potential criminals (be it in child exploitation, national
security, terrorism, financial crimes or drug trafficking cases)" would be
able to evade prosecution just by encrypting their data, according to the Justice
Department.
The Justice Department is
not just making up boogeymen to argue its case. The Middle East Media
Research Institute published a paper July 12 detailing how Al-Qaeda began
to use encryption tools for online activities and communications.
"Compelling her to
produce the passphrase also supposes that she 'remembers' it and can produce
it," wrote Cameron Camp, an ESET researcher, noting that the case becomes
trickier if she claims she has "forgotten" the code.
As a last resort, FBI agents
can try to decrypt the device without the password, a process that would
"require significant resources and may harm the Subject Computer,"
the government said.